ISE 2.1 Cisco IP Phone dot1x Authentication

rclemeng
Level 1

Hey Guys, hope I can get some help here. I have a situation where I have some Cisco IP Phones of the same model but different hardware revisions (7841 v01 and v04). We had ISE 1.2 in place and everything worked great. Phones would authenticate no problem. The ISE was upgraded to 2.1 and now a subset of phones (seem to be the version 04) will not authenticate. If I revert the phones back to use the 1.2 version, they work again. The ISE is saying it is getting an empty TLS packet. Looking at the PCAP coming from the ISE to the phone we see the ISE send the Server Hello. According to the phone logs we are sending our certificate. Interesting thing, and my question here: both phones are talking to the same ISE 2.1 using the same switch port (I unplug one phone and plug the other one in). In the working phone, in the PCAP I can see something called a heartbeat extension in the Server Hello frames under TLS. I don't see that in the non-working version, even though both are using the same TLS version according to the PCAP. Is there any configuration in the ISE that would cause the heartbeat extension in one scenario but not another?

Above is the working

Accepted Solution

hslai
Cisco Employee

ISE 2.0 adds support for TLS 1.1 and 1.2. Prior to ISE 2.0, the TLS exchange will be negotiated to TLS 1.0.

Thus, it seems possibly some incompatibility of TLS 1.2 between the IP phone firmware and ISE 2.0+.

If not already done, please open a case with our Cisco TAC so we may gather more data to ensure reproducibility for a bug filing.
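The question above compares two Server Hello frames from a PCAP (same TLS version, heartbeat extension present in one and absent in the other), and the accepted answer points at the negotiated TLS version as the likely variable. The following is an added example, not code from the thread, from Cisco or from ISE: a small parser for a TLS ServerHello record that reports the server-selected version, cipher suite and extension list, flags the heartbeat extension (type 0x000F, RFC 6520), and rejects an empty or truncated record explicitly rather than silently. The two sample records are constructed in the script with a helper (`build_server_hello`) so it runs offline; the extension sets, cipher suite and zeroed random are assumptions standing in for the real captures, and the field layout follows RFC 5246. In practice you would feed it the record bytes exported from the capture tool.

```python
import struct

# Constants from RFC 5246 (TLS 1.2) and RFC 6520 (heartbeat extension)
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
EXT_HEARTBEAT = 0x000F
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXT_NAMES = {0x0000: "server_name", 0x000F: "heartbeat",
             0x0017: "extended_master_secret", 0xFF01: "renegotiation_info"}


class TlsParseError(ValueError):
    """Raised for empty, truncated or non-ServerHello input."""


def build_server_hello(version, cipher_suite, extensions):
    """Assemble a TLS record holding a ServerHello. Used only to construct the
    sample packets below; a real capture would supply these bytes."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    msg = (struct.pack("!H", version) + bytes(32)           # version, random (zeros here)
           + b"\x00"                                          # empty session id
           + struct.pack("!H", cipher_suite) + b"\x00")       # cipher suite, null compression
    if extensions:
        msg += struct.pack("!H", len(ext_body)) + ext_body
    hs = bytes([HS_SERVER_HELLO]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(hs)) + hs


def parse_server_hello(data):
    """Return the negotiated version, cipher suite and extension list of a
    ServerHello record, rejecting empty or truncated input explicitly."""
    if not data:
        raise TlsParseError("empty TLS record")
    if len(data) < 5:
        raise TlsParseError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise TlsParseError("not a handshake record: 0x%02x" % ctype)
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise TlsParseError("record body shorter than declared length")
    if body[0] != HS_SERVER_HELLO:
        raise TlsParseError("handshake type 0x%02x is not ServerHello" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len:
        raise TlsParseError("truncated ServerHello")

    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise TlsParseError("truncated ServerHello field")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                                  # server random
    take(take(1)[0])                          # session id (length-prefixed)
    cipher_suite = struct.unpack("!H", take(2))[0]
    take(1)                                   # compression method
    extensions = []
    if pos < len(msg):                        # extensions block is optional
        end = pos + struct.unpack("!H", take(2))[0]
        if end > len(msg):
            raise TlsParseError("extensions length exceeds message")
        while pos < end:
            etype, elen = struct.unpack("!HH", take(4))
            extensions.append((etype, take(elen)))
    if pos != len(msg):
        raise TlsParseError("trailing bytes after ServerHello")
    return {
        "version": TLS_VERSIONS.get(version, "0x%04x" % version),
        "cipher_suite": cipher_suite,
        "extensions": [EXT_NAMES.get(t, "0x%04x" % t) for t, _ in extensions],
        "heartbeat": any(t == EXT_HEARTBEAT for t, _ in extensions),
    }


def diff_extensions(hello_a, hello_b):
    """Extensions present in one parsed ServerHello but not in the other."""
    a, b = set(hello_a["extensions"]), set(hello_b["extensions"])
    return sorted(a - b), sorted(b - a)


# Constructed samples standing in for the two captures in the thread:
# both negotiate TLS 1.2, but only the first carries the heartbeat extension.
WORKING = build_server_hello(0x0303, 0xC02F, [(EXT_HEARTBEAT, b"\x01"), (0xFF01, b"\x00")])
FAILING = build_server_hello(0x0303, 0xC02F, [(0xFF01, b"\x00")])

if __name__ == "__main__":
    w, f = parse_server_hello(WORKING), parse_server_hello(FAILING)
    print("working:", w)
    print("failing:", f)
    print("only in working / only in failing:", diff_extensions(w, f))
    try:
        parse_server_hello(b"")
    except TlsParseError as err:
        print("empty record rejected:", err)
```

Comparing the two parsed results side by side makes the negotiated version and the extension delta explicit, which is the evidence TAC will ask for; the empty-record branch corresponds to the "empty TLS packet" condition the ISE reported, so a capture that trips it is worth attaching to the case as-is.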


2 Replies


Thank you for the reply.

I have a TAC case open with the CUCM team for the phones which has the Des engaged. I will get them to open a collaboration with the ISE TAC as well.

Robert
